Germany's cyber-security agency recommends Firefox as most secure browser (zdnet.com)
60 points by XzetaU8 on Oct 17, 2019 | 12 comments



Threat model! Firefox indeed does excel for the average citizen in terms of security, while people who know some infosec think CVE count and exploit mitigation is a priority. It has auto update for known vulns. As for 0days, people who are targeted by attackers willing to burn a browser 0day on them have a drastically different threat model than the average citizen, and frankly using Chrome because of CVE count is a bad strategy if you're one of those people (Bromium, Qubes OS and other segregation-based appsec is worth a consideration).

You have to appreciate how much privacy counts (Chrome failed telemetry on the BSI test)


This is not completely ridiculous, but it’s exactly the sort of silliness you’d expect from bureaucrats (and zdnet!)

Firefox isn’t the most secure browser, it just checks the most boxes on this particular compliance checklist, which doesn’t really assess the security of the browser.


They provide arguments and data points for why Firefox is the most secure browser. This is not silly, but allows for a good discussion. Care to share other evaluation results from reputable sources?


They provide arguments and data points specifically designed to portray Firefox as the most secure browser.

They missed super important checkboxes like “site isolation”, which is a far more significant feature than most things included.

If this wasn’t bullshit there’d be boxes nobody checks, but right now they just took a list of Firefox features and worked from there.


There's this: "Web pages need to be isolated from each other, ideally in the form of stand-alone processes. Thread-level isolation is also allowed."


Yeah, deliberately chosen so Firefox will tick the box.

Firefox is testing site isolation but it isn’t ready yet, Chrome has it on by default.

Ask any Firefox dev! They’ll tell you they’re far behind on this.


Which boxes on this checklist are not components of browser security? I'm nothing like an expert on cybersecurity, but they generally seem relevant to me.

Conversely, what boxes would you say are missing?


My objection really has nothing to do with the specific boxes. This is just fundamentally the wrong approach, as is demonstrated by the fact that every browser except IE essentially got a perfect score except for telemetry.

Do you see a site isolation checkbox there, btw? Missing one of the most important exploit mitigation technologies for browsers today strongly suggests that whoever made this list was either incompetent or deliberately picking boxes that Firefox ticks.

I'd assume that instead of having actual browser security experts build this list they had some amateurs attempt to build a list of existing security "features" in browsers, which isn't a sane approach at all and is bound to get results like this. A good checklist would almost certainly have lots of boxes nobody ticks.


Telemetry seems like a big issue when it comes to security, and it's good to have it explicitly called out in such evaluations.


With telemetry, it’s by definition non-secure, since it’s leaking your information by design.


I'd argue that depends entirely on the contents of the telemetry, which don't appear to be a part of this assessment. Besides (since this isn't about defaults), if you're configuring your browser to disable telemetry couldn't you just as well configure your firewall to block it?

Automatic updates also tend to leak information by design.

But anyway, this has nothing to do with my larger point. A good checklist would certainly have lots of boxes nobody ticks; this one was clearly built around Firefox feature lists (and maybe others, but not Chrome, as site isolation is left out).


Which entries on the checklist do you feel are not appropriate to include in a security assessment?
